I am looking at extracting logs from a mail system where each transaction spans more than one line. Each line holds a different part of the transaction, and lines can be interleaved with those of other transactions, so several threads may be involved. Each transaction has a unique identifier as the first field after the timestamp.
I am looking for help defining the best approach to handling this. Is this a case that needs one Logstash aggregation and then another Logstash to perform the field extraction? Any pointers on the best process here would be much appreciated. In the output I would ideally like to see: time, unique identifier, source, destination, subject.
An example of the log is below:
2016-10-26 20:00:57 xxxxxx-xxxxxx-x1 <= <> H=smtp.org.com (mailrouter.org.com) [10.10.10.10] P=esmtp S=2597 id=201610260900.u9Q90tsK008439@sendingserver.org.com T="Email Subject"
2016-10-26 20:00:57 xxxxxx-xxxxxx-x1 => /dev/null (bounces@destination.com) <provision@destinationaddress.com> R=user_alias T=**bypassed**
2016-10-26 20:00:57 xxxxxx-xxxxxx-x1 Completed
2016-10-26 20:00:57 xxxxxx-xxxxxx-x4 <= <> H=smtp.com (mailrouter.org.com) [10.10.10.10] P=esmtp S=2620 id=201610260900.u9Q90tii008449@sendingserver.org.com T="other email subject"
2016-10-26 20:00:58 xxxxxx-xxxxxx-x6 <= <> H=Othermail.org.com (mailrouter.org.com) [10.10.10.10] P=esmtp S=2621 id=201610260900.u9Q90tvc008455@sendingserver.org.com T="another email subject"
2016-10-26 20:00:58 xxxxxx-xxxxxx-x6 => /dev/null (bounces@destination.com) <provision@destinationaddress.com> R=user_alias T=**bypassed**
2016-10-26 20:00:58 xxxxxx-xxxxxx-x6 Completed
2016-10-26 20:00:58 xxxxxx-xxxxxx-x9 DKIM: d=customer2.com.au s=cm c=relaxed/relaxed a=rsa-sha1 i=info@customer2.com.au [verification succeeded]
2016-10-26 20:00:58 xxxxxx-xxxxxx-x9 <= Wanted-yhqbhk1didkkhtklr1r@oddmail.com H=mailraouter4.org.com [10.20.20.40] P=esmtp S=29325 id=cm.2000327259153.yhqbhk.didkkhtklr.r@oddmail.com T="Yet another email subject"
2016-10-26 20:00:58 xxxxxx-xxxxxx-x9 => diane <diane@client.com> R=mysql_localuser T=mysql_delivery
2016-10-26 20:00:58 xxxxxx-xxxxxx-x9 Completed
2016-10-26 20:00:59 xxxxxx-xxxxxx-x4 => /dev/null (bounces@destination.com) <provision@destinationaddress.com> R=user_alias T=**bypassed**
2016-10-26 20:00:59 xxxxxx-xxxxxx-x4 Completed
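As an added example (not part of the original post, and not a Logstash configuration), the correlation the aggregation step has to perform, written in Python and run over the post's own sample lines: group lines by the id after the timestamp, take sender, connecting host and subject from the `<=` line, one recipient from each `=>` line, and emit a record when `Completed` arrives. Ids that never complete stay pending, which is the per-id state an aggregate filter would have to hold in memory.

```python
import re

# Sample lines copied from the post above (the x6 lines are omitted to keep the block short).
SAMPLE_LOG = """\
2016-10-26 20:00:57 xxxxxx-xxxxxx-x1 <= <> H=smtp.org.com (mailrouter.org.com) [10.10.10.10] P=esmtp S=2597 id=201610260900.u9Q90tsK008439@sendingserver.org.com T="Email Subject"
2016-10-26 20:00:57 xxxxxx-xxxxxx-x1 => /dev/null (bounces@destination.com) <provision@destinationaddress.com> R=user_alias T=**bypassed**
2016-10-26 20:00:57 xxxxxx-xxxxxx-x1 Completed
2016-10-26 20:00:57 xxxxxx-xxxxxx-x4 <= <> H=smtp.com (mailrouter.org.com) [10.10.10.10] P=esmtp S=2620 id=201610260900.u9Q90tii008449@sendingserver.org.com T="other email subject"
2016-10-26 20:00:58 xxxxxx-xxxxxx-x9 DKIM: d=customer2.com.au s=cm c=relaxed/relaxed a=rsa-sha1 i=info@customer2.com.au [verification succeeded]
2016-10-26 20:00:58 xxxxxx-xxxxxx-x9 <= Wanted-yhqbhk1didkkhtklr1r@oddmail.com H=mailraouter4.org.com [10.20.20.40] P=esmtp S=29325 id=cm.2000327259153.yhqbhk.didkkhtklr.r@oddmail.com T="Yet another email subject"
2016-10-26 20:00:58 xxxxxx-xxxxxx-x9 => diane <diane@client.com> R=mysql_localuser T=mysql_delivery
2016-10-26 20:00:58 xxxxxx-xxxxxx-x9 Completed
2016-10-26 20:00:59 xxxxxx-xxxxxx-x4 => /dev/null (bounces@destination.com) <provision@destinationaddress.com> R=user_alias T=**bypassed**
2016-10-26 20:00:59 xxxxxx-xxxxxx-x4 Completed
"""

HEADER = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (\S+) (.*)$")  # time, id, rest
HOST = re.compile(r"\bH=(\S+)")
SUBJECT = re.compile(r'T="([^"]*)"')
DELIVERY = re.compile(r"^=> (.*?) R=")  # recipient text sits between "=>" and the router field
ADDR = re.compile(r"<([^>]+)>")

def first(rx, text):
    m = rx.search(text)
    return m.group(1) if m else None

def correlate(lines):
    """Return (completed, pending): one record per transaction id, keyed on the id after the timestamp."""
    pending, completed = {}, []
    for line in lines:
        m = HEADER.match(line)
        if not m:
            continue  # not a transaction line
        ts, tx_id, rest = m.groups()
        tx = pending.setdefault(tx_id, {"id": tx_id, "time": ts, "source": None,
                                        "host": None, "destinations": [], "subject": None})
        if rest.startswith("<= "):            # arrival: envelope sender, connecting host, subject
            tx["source"] = rest[3:].split(" ", 1)[0]
            tx["host"] = first(HOST, rest)
            tx["subject"] = first(SUBJECT, rest)
        elif rest.startswith("=> "):          # one delivery line per recipient
            target = first(DELIVERY, rest) or rest[3:]
            tx["destinations"].append(first(ADDR, target) or target)
        elif rest == "Completed":             # flush: the transaction is whole now
            tx["end_time"] = ts
            completed.append(pending.pop(tx_id))
        # anything else (e.g. "DKIM: ...") keeps the id open but adds no field
    return completed, pending
```

Records come out in completion order (x1, x9, x4), not arrival order, which is the interleaving the post describes.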